In today’s ever-changing security landscape, teams struggle to coordinate across disparate environments for their day-to-day operations as well as during incident response. Organizations often need heterogeneous physical networks and hybrid cloud platforms to conduct business in an agile manner, but this leads to a lack of visibility and piecemeal security processes. Security teams need a platform that can provide deep, real-time network visibility and harness that information to drive automated action across security environments.
To meet these challenges, users can combine the security policy management capabilities of Tufin Orchestration Suite SecureTrack with the security orchestration and automation features of Demisto to improve end-to-end enterprise visibility and accelerate incident response.
- Get policy, topology, and topology image information from SecureTrack in Demisto, either as automated playbook tasks or through real-time execution.
- Resolve IP addresses to specific network objects by executing SecureTrack commands within Demisto.
- Leverage hundreds of Demisto product integrations to further enrich SecureTrack data and vice versa while coordinating response across security functions.
- Run thousands of commands (including for SecureTrack) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
Use Case #1
Automated incident enrichment and response
Due to a wide threat surface and disparate environments, it becomes time-consuming and repetitive for security analysts to cross-reference data across tools, get further policy context, and coordinate containment and response. Processes diverge depending on the analyst that handles the incident, leading to differing response quality.
Security teams can access granular policy, network topology, and object data from SecureTrack within Demisto through standardized and automatable playbook tasks. These playbooks can be triggered whenever an alert is detected on a relevant security tool (such as SIEMs, cloud security tools, and vulnerability scanners) and coordinate actions across the entire security product stack that an organization uses.
For instance, a playbook could query SecureTrack for NAT policies and rules for a particular device, cross-reference that data with intelligence from SIEMs and treat intelligence tools, and query SecureTrack again to determine whether policy changes are authorized.
Leveraging SecureTrack’s unique network security policy information along with data from other products through a common Demisto playbook helps minimize screen switching, manual reconciliation of data, and repetitive work for security teams. Unifying and automating response and compliance processes across cloud and on-premise infrastructures also helps security teams gain central oversight and coordinate actions at scale.
To learn more about Demisto's integration with Tufin SecureTrack, view our joint solution brief
USE CASE #2
Interactive, real-time investigation for complex threats
Apart from running automated actions, attack investigations usually require additional real-time tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, grabbing and archiving evidence, and finalizing resolution. Running these commands traps analysts in a screen-switching cycle during investigation and a documentation-chasing cycle after investigations end.
After running enrichment playbooks, analysts can gain greater visibility and new actionable information about the attack by running SecureTrack commands in the Demisto War Room. For example, if playbook results throw up initial information, analysts can leverage the tufin-policy-search and tufin-search-topology commands to search policy and topology details respectively, adding vital information to incident context.
Analysts can also run commands from other security tools in real-time using the War Room, ensuring a single-console view for end-to-end investigation that coordinates across the product stack. The War Room will document all analyst actions and suggest the most effective analysts and command-sets with time.
The War Room allows analysts to quickly pivot and run unique commands relevant to incidents in their environment from a common window. All participating analysts will have full task-level visibility of the process and be able to run and document commands from a unified console. They will also prevent the need for collating information from multiple sources for documentation.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.